Organizations strive to ensure secure and convenient user access to services or accounts. With the proliferation of identity theft and the growing emphasis on convenience, organizations are forced to find a balance between gathering enough identifying information and making the services or accounts accessible to users. Regulations and business rules may govern how much or what identifying information the user must provide depending upon the nature of the activity that is requested.
Existing systems often sacrifice security for convenience. For example, users may be required to provide a login, password, and answer a secret question simply to view current interest rates. Thus, although the user may be engaging in a low-risk activity, the user may be required to provide an excessive amount of information. Additionally, the risk level of an activity may vary with the user, depending on past behaviors or account preferences.
Further complicating the balance between security and convenience is that organizations have various channels in which users may interact with the organization. For example, users may perform activities related to an account at the organization over the phone, through an internet portal, by mobile phone application, or by face to face contact at a brick and mortar building. Thus, with the different means of interaction and access, organizations must provide various methods of verifying the user's identity.
This creates a need for a flexible way to verify user identity that provides a sufficient level of both security and convenience. Therefore, this disclosure describes a dynamic risk engine for determining when there is sufficient identifying information for a user to engage in a restricted activity and to facilitate equitable comparisons of trust across multiple users, computing devices, and/or channels.